Perception Cyber Security was the latest product to be reviewed in Network Computing Magazine this month. The magazine is the UK's longest established magazine dedicated to network management, and regularly investigates new and innovative products in the network security space. You can read the full review here.

The review concedes that whilst complete network visibility would be ideal, the mess of data it creates is a curse rather than a blessing. Perception, of course, is designed to declutter this mess automatically, providing the user with actionable intelligence they can use, rather than an overwhelming pool of data they will be forced to ignore.

The reviewer notes the “impressive scope” of Perception, being able to accurately and reliably pick up on the presence of malicious actors, as well as subtle indicators that might show weaknesses in the network before they are exploited.

Also noted by the article is the forensic capability of Perception, which it describes as a must for risk mitigation. This feature “helps by concatenating otherwise isolated events. It could, for example, conclusively prove how a lost laptop was ultimately the source of attack.” It is key features like this that really demonstrate the overall value in Perception, and the benefit that can be gained from complete network visibility.

The article concludes that the mindset that Perception encourages is a requirement for organisations that are ready to engage with the cyber war, “that has only just started”. The final line is particularly glowing, noting (quite rightly) that most cyber attacks are merely grabbing low-hanging fruit, and that Perception, “moves the network away from this category and beyond”.

The full review contains impressive insights into the benefits of proactive security, and is definitely worth a read if you have the time.

Perception was originally developed by Chemring Technology Solutions for the UK Ministry of Defence. Complementing existing computer network security systems, such as firewalls, intrusion detection systems, and antivirus software, Perception is a behavioural analysis system with no rigid rules-based architecture.

The award was presented at a banquet in London's Royal Garden Hotel.

Dhiraj Badgujar, Analyst at Frost & Sullivan, said: "The increasing complexity of network security is becoming difficult for businesses to manage, leading to mistakes or gaps for attackers to exploit. With its deep learning capability and the ability to adapt based on changing network behaviours, Perception will enable enterprises to identify future advanced threats before they emerge."

The major differentiating factors of Perception are its ability to identify malicious activity without requiring prior knowledge of the threat, as well as alerting the user to potential vulnerabilities so they can be resolved before an attacker exploits them. This makes it more difficult for malware to evade detection and easier for analysts to proactively detect network vulnerabilities and user error.

As well as detecting threats and vulnerabilities as they happen, Perception uses artificial intelligence (AI) to intelligently interlink network events across months, weeks, and minutes, enabling large-volume data pattern analysis. This significantly improves "low and slow" threat detection capabilities, in addition to providing a low false alarm rate. Perception also detects the slow, unauthorised external extraction of information from the network, even when sophisticated obfuscation techniques are used.

Daniel Driver, Head of Perception Cyber Security, said: "Based on declassified work for national security agencies, Perception takes the fight against cybercrime to a new level. An award from the respected international analyst firm Frost & Sullivan gives us an unbiased, third-party stamp of approval. The Perception development team truly deserved to be recognised in this way as it proves to us that we have created something truly unique in identifying advanced cyber threats."

For the New Product Innovation Award, Frost & Sullivan analysts followed a 10-step evaluation process to assess Perception's fit against best practice criteria, focusing on two key factors - New Product Attributes and Customer Impact.

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today's market participants. For more than 50 years, we have been developing growth strategies for the global 1000, emerging businesses, the public sector, and the investment community.

The Spanish Guardia Civil has chosen Chemring Technology Solutions’ Perception Cyber Security to protect its critical network assets from cyber-attacks, as well as to identify malicious insiders or other vulnerabilities within the network. The new contract follows a successful product evaluation by Perception and its Spanish partner Eleycon21.

Perception was originally developed for the UK Ministry of Defence and is the world’s first bio-inspired network security system. Once deployed, Perception will complement the Guardia Civil’s existing computer network security systems by identifying the potential threats they cannot.

Eleycon21 distribute and support the Perception product throughout Spain. Gabriel Crespo, Managing Director of Eleycon21, said: “Perception offers a ground-breaking approach to identifying advanced cyber threats and it will deliver the Guardia Civil a distinct advantage. We are therefore delighted to be partnering Perception Cyber Security in the delivery and support of its technology in Spain.”

As Perception is a network behaviour analysis system, it has no rigid “rules-based” architecture and adapts to the network’s changing profile to automatically identify malicious activity, making it more difficult for malware to evade detection. It will also detect the slow, unauthorised external extraction of information from the network, even when sophisticated obfuscation techniques are used.

Daniel Driver, Head of Perception Cyber Security, said: “Eleycon21 has an in-depth knowledge of the dangers posed by today’s more sophisticated network security threats, and they are committed to ensuring that Spain’s leading organisations have the robust cyber protection required to combat them. Their work alongside Guardia Civil in deploying Perception is a demonstration of their commitment to this endeavour and we are delighted to support them.”

Before we start: Microsoft has released an emergency patch for unsupported versions of Windows (XP, 2003, Vista, 2008) here, and in March Microsoft released a patch for supported versions of Windows that stops the exploit used in the WannaCrypt attacks; details here.

WannaCrypt

Everything you need to know

WannaCrypt (aka WannaCrypt0r, WannaCry, Wcry) is a type of ransomware that proliferated very rapidly, with reports that it had affected several high-profile organisations as of 12th May. Put simply, ransomware is an attack that encrypts files on a machine so they can’t be used, then demands a ransom be paid for them to be decrypted. These types of attacks are common, but this month’s attacks in particular are noteworthy for a number of reasons.

Typically ransomware is what’s known as a Trojan, delivered via email, requiring hundreds of thousands (or potentially millions) of malicious phishing emails to be sent with attachments or links, and affecting those unfortunate enough to open the attachment or link. WannaCrypt had an additional capability, a self-replicating payload (known as a worm) that meant that once it was in a network, it was able to propagate to other machines on that network. In action, this meant that it only took one person in a business to be affected before everyone in that business was also affected. The worm also has the ability to self-replicate to other networks via the internet, depending on that network’s configuration.

There are multiple conflicting reports on whether WannaCrypt was delivered via email or another method, however, the large impact on businesses was largely caused by the self-propagating addition to the ransomware since several machines could be taken out of action if only one machine was initially infected.

The self-propagating fragment of the ransomware uses a vulnerability that was discovered by the US National Security Agency, which also developed an associated exploit. We do not know how long they knew about the vulnerability, but unlike security researchers the NSA tends to keep newly discovered exploits to itself in order to use them for intelligence activities. The particular exploit used by WannaCrypt was used internally as part of a toolkit codenamed ‘EternalBlue’. Last year the NSA itself was hacked by a group called the ShadowBrokers, who released details of EternalBlue to the public in April, which is why we are now seeing malicious attacks using the same methods.

WannaCrypt can affect all unpatched versions of Windows from XP to Windows 8. Microsoft had patched the vulnerabilities exposed by EternalBlue in March, before the exploit was publicly released by ShadowBrokers, and in the wake of the attack Microsoft released patches for unsupported versions of Windows (it is rare for Microsoft to patch older versions of Windows, but it did so because of the large-scale impact of the WannaCrypt attacks).

Multiple organisations were affected by the attack, however it is not yet known (and unlikely we’ll ever know) if these were targeted directly or just randomly happened to be affected. These include Telefonica in Spain, Fedex in the US and the NHS in the UK to name but a few. Remediation and disaster recovery strategies were put in place in affected businesses, such as turning off all IT equipment and rolling back to pre-attack backups, actions which were hugely costly to those affected and may result in a loss of data in the organisation that may not be identified immediately.

As WannaCrypt started to spread uncontrollably, cyber security researchers started digging into the malware to see how it worked. One of these researchers, MalwareTech, noticed that WannaCrypt contacts an external website before activating on a victim machine; when they looked to see who owned this domain, it was unregistered. They thought it would be useful to register this domain so they could understand how many connections it was receiving and consequently be able to estimate how many machines were being affected by WannaCrypt. In an odd turn of events, WannaCrypt stops running if the domain has been registered when the malware starts running, which stopped the malware activating on internet-connected devices that were subsequently hit by it. There are many possible reasons for putting this ‘killswitch’ mechanism in malware; the leading theory is that it is a way of detecting whether the machine it is affecting is a test environment. Since these test environments seldom have internet connections for security reasons, the malware is able to hide from the tests by not activating if there is no external internet connection. By registering this domain, MalwareTech may have vastly reduced the infection rate of the initial version of the malware.

That’s not likely the end of the story for WannaCrypt, in the weeks since the initial infections were identified, variations with alternative killswitches have been created, and there’s even some variations with the killswitch removed entirely. In essence, WannaCrypt is a combination of two attacks, Ransomware and a self-replicating worm; both of these attacks will continue to be produced by malicious actors.

So what can we do to stop these types of attacks going forward? It goes without saying that good security procedures need to be adhered to, keep updating software as soon as possible and make sure not to open links or attachments we weren't expecting to receive. From a business perspective the same advice applies but in situations where older software must be used, for example to control systems that have lifespans of several decades, a method must be in place to identify these vulnerabilities and put protections in place to stop them being attacked. Tools such as Perception can identify vulnerabilities on a network before they are attacked, giving businesses the chance to protect themselves where software updates aren’t possible. If the worst does happen, these types of network monitoring tools can alert an analyst to exactly which files have been encrypted, and which hosts have been affected, assisting greatly in remediation activities.

The BBC consumer advice show “Watchdog” found hundreds of examples of customers being billed for food that they didn’t order via the restaurant delivery app Deliveroo, forcing the foodies’ favourite business to deny that it has been targeted by hackers. The company claimed that the fraudulent orders were made using credentials stolen in other attacks, and only worked on customers that used the same email/password combination for their Deliveroo account.

The customers contacted by the programme, which aired on the 23rd November (you can watch it on iPlayer here until the 23rd December if you are in the UK) all had their money refunded, which is good news, but we don’t know how much has had to be forked out in refunds to affected customers. Deliveroo have since denied that any payment information had been taken, and the transactions were made using a one-click style payment process that doesn’t require customers to input their payment information again for every order.

The advice remains that any online accounts should be protected by a unique password. Although this can rapidly become unmanageable, several password managers are available to stop you forgetting unique passwords for that one website you only use once a year and you’re never going to remember. Apple users can use iCloud keychain, although cross-application support is often lacking, and several Perception staff members use and can vouch for 1Password.

The use of stolen credentials raises an interesting issue for businesses online. Deliveroo obviously benefits from a massively streamlined ordering process, however, is this done to the detriment of security? Deliveroo have stated they will ask for verification when orders are made to new addresses, which should help to stop the fraud entirely (although it still leaves doors open to send as much food as possible to a hacked customer's genuine address in the weirdest hacking prank ever). If Deliveroo is able to prove where the passwords were stolen from, should they be able to make a claim against that organisation since it was technically their fault? Should every breached company be forced to immediately contact all customers and let them know a single password is no longer usable on any other sites?

The European Banking Authority plans to regulate two-factor authentication on all orders over €10 in the near future, but already that has many businesses favouring one-click ordering up in arms, stating that more business will be lost than the savings made on fraud refunds. Perhaps the responsibility for security lies solely with the consumers themselves, those that reuse passwords having only themselves to blame; we can hardly expect businesses to check all new accounts against haveibeenpwned.com and refuse service to those that have been hacked in the past, can we?

Security experts have disclosed three vulnerabilities in Samsung Knox, a piece of software deployed on phones to separate personal and professional data for security purposes, according to Wired.

The Israeli security firm Viral Security Group exposed the flaws on a Samsung Galaxy S6 and a Galaxy Note 5, which allowed full control of each device. Considering the purpose of the software is to maintain the security of a business issued handset whilst allowing the flexibility of a personal device, the businesses that deploy this system may be assuming that these devices are safe despite moving between internal and external (protected and unprotected) network connections.

It's important to note that these vulnerabilities have since been patched in a security update. Before the patch, however, the researchers at Viral Security Group were able to replace legitimate applications with rogue versions, with access to all available permissions, without the user's notice. Many businesses rely on the Knox software to make sure any connection to a business network is made from the "safe zone" of the phone, and once outside of its protective environment the personal segment of the phone is used. If the boundary between these two parts of the device's software is breached, the protections are essentially useless and the device once again becomes a BYOD-type threat.

The take-away from all this is that you can't assume your security measures are foolproof. Once protections are put in place, a significant responsibility still lies with understanding, controlling, and analysing network traffic.

The full white paper describing the flaws is well worth a read if you have time, but first make sure any devices on your network have fully up to date software.

The attack that resulted in Bangladesh Bank losing $81 million (and nearly losing a further $850 million and $870 million in a foiled later attempt) has also affected other banks, Reuters reports.

According to the new information, SWIFT has sent messages to banks around the world of new breaches, but doesn't specify to what magnitude these breaches occurred. It has, however, suggested that banks increase their security, and to stay particularly vigilant of activity via the SWIFT system. The message later stated that, "The threat is persistent, adaptive, and sophisticated - and it is here to stay."

The original attack on Bangladesh Bank used the SWIFT messaging system to transfer funds away from the bank, using malware on the bank's SWIFT terminals. The original injection was via a network switch, and SWIFT has since stated that this switch and other legacy networking gear were to blame, rather than SWIFT itself.

The new victims all shared one thing in common: weaknesses in local security that attackers exploited to compromise local networks. SWIFT has responded with security updates to its software, but if local security is still lax, and banks don't upgrade to the new software (they have no obligation to), then these attacks may keep occurring.

With so much money on the line, we may see financial institutions deploying more network security tools, and upgrading their switches, in the next few weeks.

Perception is currently looking to hire two new people to join a rapidly growing business area with the feel of a start-up and the support of a multinational defence company. Both of these positions are based at our Roke Manor site, set in the Hampshire countryside just outside of Romsey, containing some of the most beautiful scenery for any workplace in the country, as well as facilities such as a full gym, tennis courts, cricket field, bar, restaurant, coffee shops, and a snooker room.

If you're interested in working in the world of cyber security, take a look at the roles below.

Developer/Analyst

This is an exciting opportunity to join a strong team of developers and analysts and be involved in both the development of the platform and the analysis of the output from live deployments. You'll be working on analysis of live networks, as well as development of analyst-focused features in the product itself. The role requires an understanding of networking technologies and protocols combined with software development skills.

The necessary skills for this role are:

Programming skills - focusing on Java and third party library support, as well as some knowledge of scripting languages such as Python

IT skills - Experience working with Linux, web servers, and SQL databases

Developer (UI focus)

This is an exciting opportunity to join a strong team of developers and be involved in both the design of the interface and the underlying functions. You'll be working on the whole life cycle of UI development, from initial scoping with feedback from analysts and customers, through to feature design and implementation. The role requires an understanding of web design using HTML, JavaScript (including frameworks such as jQuery and Bootstrap), CSS, and PHP, and an appreciation for UI and UX design.

Emergency services technology specialist j3llyh34d 1ndu5tr135 ("Jellyhead") has signed a deal with Chemring Technology Solutions to become a value added reseller for Perception Cyber Security.

j3llyh34d currently provides cyber security services to several UK police and fire services, and Perception will complement its customers' existing computer network security systems by identifying the potential threats they cannot.

Simon Twigg, Managing Director at j3llyh34d, said: "Perception is a revolutionary approach to dealing with advanced threats such as zero-day vulnerabilities, targeted vectors and blackmarket rootkits, as well as information leakage. We are delighted to partner Chemring Technology Solutions in the delivery and support of this game-changing technology. Perception is the first security solution we have seen that gives the good guys a sustainable advantage over the bad guys. We believe the security landscape will be profoundly and irreversibly changed by this lateral approach."

As Perception is behavioural it has no rigid "rules-based" architecture and adapts to the network's changing profile to automatically identify malicious activity, making it more difficult for malware to evade detection. It will also detect the slow, unauthorised external extraction of information from the network, even when sophisticated obfuscation techniques are used to evade traditional rule-based security defences.

Daniel Driver, Head of Perception Cyber Security at Chemring Technology Solutions, said: "j3llyh34d have proven their in-depth knowledge of a very technical area, and share our passion for solving some of the toughest problems in cybersecurity today. We believe they have the capacity and the knowledge base to provide significant value to their customers using the power of the Perception technology."

Last week's data breach from the accountancy and payroll software firm Sage seems to have come from a malicious insider, if the arrest of a company employee at Heathrow airport is anything to go by.

Whilst it is still unclear what information may have been leaked, Sage started notifying the affected customers earlier in the month that some of their information, possibly including names, addresses, and bank account details, may have been compromised. Exact numbers of affected companies and individuals remain unknown, but 280 businesses are thought to have had personal information of their employees compromised.

The first thought for anyone in network security naturally goes to asking themselves the question, "how can I stop this from happening to me?" Whereas firewalls and endpoint protection can protect against malicious software and human-borne policy breaches, little protection exists against an employee with access to sensitive data leaking information.

First, as always, is training. Employees that understand the implications of data breaches, and how to protect themselves can be a better network security system than even the most advanced protection software. This advice remains the same for protecting against intentional data exfiltration too. Employees that understand how seriously their company takes data protection are less likely to run the risk of breaching company policy. Of course, this won't be true in every case, so given a determined insider, what's next?

Companies need to restrict who's accessing what data. Locking down sensitive information to only those who need to access it greatly reduces the number of potential leaks. Not only does this make incident response easier, but a 50% reduction in how many employees can access sensitive data means halving the number of employees that could leak data in the first place. Tying data access to individual accounts is a must when dealing with data that is considered sensitive, whether it's customer data, company data, or valuable intellectual property held by a business.

There are also internal systems that can restrict how much data is sent from a network, as well as where data can be sent. Locking down services such as Dropbox, OneDrive, or iCloud Drive can cut off the exfiltration route immediately; the same goes for restricting USB use on client devices. Proper deployment of policy management can reduce exfiltration vectors across the board, making large external data transfers far easier to see when using network monitoring techniques.

Which brings us onto the last point, using network monitoring systems. Proper visibility of network activity is the key to understanding data flow throughout a network, as well as into and, crucially, out of a protected network. Deploying tools that can carry out this task has the dual benefit of finding the attack phase of data-theft malware, as well as insiders intentionally leaking data. For the more advanced thief, slow leaking of data can also be picked up, often reducing the number of affected customers. Perhaps Sage could have picked up on this activity earlier, and reduced the number of affected customers to double figures, instead of hundreds of them?
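The "slow leaking of data" point above, and the "low and slow" extraction detection described earlier on this page, can be illustrated with a small detector over daily upload volumes. This is an added example, not Perception's own code; the flow records, host names, destination names and thresholds are all constructed for illustration, and the steadiness heuristic (coefficient of variation of the daily volumes) is an assumption of this example rather than anything the page describes.

```python
"""Low-and-slow exfiltration detector over constructed daily flow summaries.

Each record is one day's uploaded bytes from an internal host to one
external destination. A per-day byte threshold (the classic rule) misses
an insider who drips a few megabytes a day; aggregating the same
host -> destination pair across the whole window catches it.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000


def constructed_flows():
    """Constructed sample data: (day, host, external_dst, bytes_uploaded)."""
    flows = []
    for day in range(1, 15):
        # Ordinary workstations: small, irregular uploads to a few services.
        flows.append((day, "ws-01", "mail.example", (2 + day % 3) * MB))
        flows.append((day, "ws-02", "cdn.example", (1 + day % 5) * MB))
        # Insider drip: roughly 8 MB every day to one personal cloud host.
        flows.append((day, "ws-04", "share.example", (8 + day % 2) * MB))
    # One-off bulk transfer: caught by the classic per-day rule.
    flows.append((5, "ws-03", "paste.example", 2_000 * MB))
    # Legitimate backup bursts: large-ish but only two days, under the limit.
    flows.append((7, "ws-02", "backup.example", 400 * MB))
    flows.append((14, "ws-02", "backup.example", 450 * MB))
    return flows


def pair_profiles(flows):
    """Aggregate per (host, dst) into {day: bytes}, summing repeated days."""
    profile = defaultdict(dict)
    for day, host, dst, nbytes in flows:
        days = profile[(host, dst)]
        days[day] = days.get(day, 0) + nbytes
    return profile


def bulk_alerts(flows, per_day_limit=500 * MB):
    """Classic rule: any single host -> destination day above the limit."""
    return sorted(
        (day, host, dst, vol)
        for (host, dst), days in pair_profiles(flows).items()
        for day, vol in days.items()
        if vol > per_day_limit
    )


def slow_drip_alerts(flows, per_day_limit=500 * MB, min_days=10,
                     cumulative_limit=100 * MB):
    """Pairs that never exceed the daily limit yet persist for at least
    min_days and accumulate more than cumulative_limit. A low coefficient
    of variation (steadiness_cv) marks a very regular, scheduled-looking drip
    and is reported to help an analyst prioritise (heuristic, not proof)."""
    alerts = []
    for (host, dst), days in pair_profiles(flows).items():
        vols = list(days.values())
        if max(vols) > per_day_limit:
            continue  # already visible to the bulk rule
        if len(days) >= min_days and sum(vols) > cumulative_limit:
            alerts.append({
                "host": host, "dst": dst, "days": len(days),
                "total_mb": sum(vols) // MB,
                "steadiness_cv": round(pstdev(vols) / mean(vols), 3),
            })
    return sorted(alerts, key=lambda a: -a["total_mb"])


if __name__ == "__main__":
    flows = constructed_flows()
    print("bulk (per-day rule):", bulk_alerts(flows))
    print("slow drip (aggregated):", slow_drip_alerts(flows))
```

Thresholds are deliberately simple; in practice the per-day and cumulative limits would be derived from each host's own baseline rather than fixed constants.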

Large numbers of businesses around the world aren't equipped for countering these types of threats. Our conversations with the market suggest that most UK businesses have no method of detecting authorised personnel leaking data, preferring instead to focus network security on known malware.